NEW FROM CSX
By Rob Shapland, CRT, OSCP, OSWP
The Nexus | 13 March 2017
I have been a hacker for more than 8 years. There are so many things to learn that I believe I could spend 50 years just doing research and still not know everything. But if I were to turn to the dark side and truly attempt to break into an enterprise, to which of the hacking skills I have acquired would I turn?
The simple answer is none of them. If I were training a new person on how to really compromise an organization’s defenses, I would teach the individual very little about technical hacking. Instead, I would teach social engineering and it really would not take very long, as organizations’ defenses are almost nonexistent against this threat. Very little compliance or regulatory pressure exists to make organizations think about social engineering. In reality, even organizations spending millions on their network security systems are leaving the back door wide open.
Organizations that might be specifically targeted should think about the aim of the attackers. They probably want to steal some documents. The easiest way for them to do this is to have a valid username and password on the system, as Windows genuinely has no idea whether the person who is logging on is the owner of that account.
There are many ways to gain access to a username and password through traditional hacking methods, but they tend to be slow and loud, which means a good network security team will detect the attack. The easiest method is to pick up the phone, pretend to be a specific employee and ask the company service desk for a password reset. In many cases, the service desk employee will provide the new password right there and then, but sometimes organizational policy requires that it be conveyed only by email or voicemail.
However, simply playing dumb and asking for help always works. In the many times my team has tried this method of compromising a password, we have never failed. In one 5-minute phone call, all the organization’s defenses have been bypassed and I have a valid username and password for the system. If I have picked the right employee to impersonate (I use LinkedIn to make sure he/she has the job role I am looking for), then he/she will have access to the specific files I want to compromise.
I now have 2 choices of how to use this password to gain access to the files I am trying to steal. The easiest way is to use the organization’s own remote access systems. A Secure Sockets Layer (SSL) virtual private network (VPN) can usually be found by URL guessing, for example, remote.company.com or citrix.company.com. If the remote access solution does not use 2-factor authentication, then the network can be compromised immediately. If no remote access is available, then the second option is to walk into the building. Most organizations’ headquarters, and certainly regional offices, have so little security that simply tailgating in and sitting in a meeting room for 20 minutes is relatively risk free. With a valid username and password, 20 minutes is plenty of time to find the files needed and leave with them on a universal serial bus (USB) stick.
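The chain described above (a service-desk password reset, then a logon through the remote-access portal) also leaves a trail that a network security team can correlate. The following Python script is an added example, not code from the article or its author: it reads a constructed, simplified rendering of Windows Security event 4724 ("An attempt was made to reset an account's password", the administrator-initiated reset as opposed to 4723, where the user changes his or her own password) alongside constructed VPN portal logon lines, and flags any logon that follows a reset from a source address the account had never used before, or that was accepted without a second factor. The log line formats, user names, host names and IP addresses are all assumptions for illustration.

```python
"""Correlate service-desk password resets with subsequent remote logons.

Added example, not part of the original article. It models the chain the
article describes: a service desk resets a password on a caller's request,
and the caller then logs on through the corporate SSL VPN. The log formats
below are constructed for illustration and do not follow any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Windows Security event 4724 is an administrator-initiated password reset.
# The line layout here is a constructed, simplified rendering of that event.
RESET_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=4724 Target=(?P<target>\S+) Subject=(?P<subject>\S+)$"
)

# Constructed VPN portal log line: who logged on, from where, and whether a
# second factor was presented. Real products use their own formats.
VPN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) vpn-logon user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


@dataclass
class Alert:
    user: str
    reset_by: str
    reset_at: datetime
    logon_at: datetime
    src: str
    reasons: tuple


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(reset_lines, vpn_lines, window=timedelta(hours=24)):
    """Return Alerts for VPN logons that follow a service-desk reset of the
    same account within `window`. A logon is flagged when it comes from a
    source address the account never used before the reset, or when it was
    accepted without a second factor."""
    resets = []
    for line in reset_lines:
        m = RESET_RE.match(line)
        if m:
            resets.append((parse_ts(m["ts"]), m["target"].lower(), m["subject"]))

    logons = []
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if m:
            logons.append((parse_ts(m["ts"]), m["user"].lower(), m["src"], m["mfa"] == "yes"))
    logons.sort()

    alerts = []
    for reset_at, target, subject in resets:
        # Baseline: source addresses this account used before the reset.
        known = {src for ts, user, src, _ in logons if user == target and ts < reset_at}
        for ts, user, src, mfa in logons:
            if user != target or not (reset_at <= ts <= reset_at + window):
                continue
            reasons = []
            if src not in known:
                reasons.append("new source address after reset")
            if not mfa:
                reasons.append("no second factor")
            if reasons:
                alerts.append(Alert(target, subject, reset_at, ts, src, tuple(reasons)))
    return alerts


# Constructed sample data: jsmith's own logons come from the office address,
# then a service-desk reset is followed by a logon from an unfamiliar address
# with no second factor. The reset for a.jones is followed by a logon from a
# previously seen address with MFA and produces no alert.
SAMPLE_RESETS = [
    "2017-03-13 10:02:11 EventID=4724 Target=jsmith Subject=svcdesk01",
    "2017-03-13 11:30:00 EventID=4724 Target=a.jones Subject=svcdesk02",
]
SAMPLE_VPN = [
    "2017-03-10 08:15:02 vpn-logon user=jsmith src=203.0.113.10 mfa=no",
    "2017-03-12 18:40:55 vpn-logon user=jsmith src=203.0.113.10 mfa=no",
    "2017-03-13 10:09:47 vpn-logon user=jsmith src=198.51.100.77 mfa=no",
    "2017-03-11 09:00:00 vpn-logon user=a.jones src=203.0.113.10 mfa=yes",
    "2017-03-13 11:45:12 vpn-logon user=a.jones src=203.0.113.10 mfa=yes",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_RESETS, SAMPLE_VPN):
        print(f"{a.user}: reset by {a.reset_by} at {a.reset_at}, "
              f"logon from {a.src} at {a.logon_at}: {', '.join(a.reasons)}")
```

The point of the correlation is that neither record is suspicious on its own: service desks reset passwords all day, and a VPN logon with a valid password looks like any other. Joining the two on the account name inside a short window is what makes the article's 5-minute phone call visible, and the "no second factor" reason doubles as an inventory of accounts the portal is letting in on a password alone.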
The purpose of this article is to make security professionals think about how an attacker would really compromise an organization and ensure that stakeholders are focusing their defensive efforts in the right areas. The threat from social engineering is hugely underestimated in nearly every organization, which leaves them wide open to a data breach. There are 2 key defenses: staff awareness and strong processes that are adhered to without exception. It is well worth investing some of the budget into hiring an expert to train the staff, then test the defenses. And repeat. And repeat….
Rob Shapland, CRT, OSCP, OSWP, is an ethical hacker with more than 8 years of experience conducting penetration tests for hundreds of organizations from small businesses to major international organizations. He specializes in simulating advanced cyberattacks against corporate networks, combining technical attacks with his other hobby of dressing up and tricking his way into organization headquarters using social engineering techniques. He is also a regular speaker at events and conferences throughout Europe, and recently appeared on ITV as a cyber security adviser. He holds qualifications from SANS, Offensive Security and CREST, and has been trained in social engineering techniques by Chris Hadnagy, one of the world's leading practitioners and researchers.